Impact of Cyber crime on the Trust on Ecommerce Asia Pacific and China CERT CC 2006 Conference

30 March 2006

2 eBay Inc. confidential

Trust is a Critical Element to the Growth of eCommerce

eCommerce

• Trading Platforms like eBay

• Internet Banking like Citibank, Bank of China, PayPal

Cyber crime and Public Insecurity

• Media coverage of theft of data, internet crimes, botnets, spyware, etc

• Lack of Awareness of online safety and computer system security

Concerns of the Public Community

• Data privacy

• Theft of financial information

3 eBay Inc. confidential

Seller Fraud

• Account Takeover thru PHISHING

• SPAM Soliciting off-site deals

• Fake Escrow Sites

• Non-Performance of Transactions (False Listings)

• Fraudulent Misrepresentations

Our Concerns: Key Fraud Schemes

Top 4 fraud schemes are phishing-related

4 eBay Inc. confidential

Why is eBay and PayPal a target Phishing

• eBay – Open, global Marketplace with over 180 million users

• PayPal – Global Payment Platform with over 80 million users

• Phishing– Direct financial impact on our members– Erodes Trust in eBay and Paypal– Erodes Safety perception of the Internet

• Phishing is a very cost effective enterprise and is empowering criminal groups to build bigger networks

• It‘s is necessary to combine efforts from Law Enforcement agencies,Governments, Internet players and ISPs to fight this issue and strengthen our ability to respond to the next issue.

5 eBay Inc. confidential

Phishing Sites in Asia Pacific Region – March 13-19

Countries Number of PhishingSites

Korea 87

China 75

India 25

Thailand 25

Japan 9

Chinese Taipei 18

Australia 4

Hong Kong 5

Malaysia 3

Singapore 2

6 eBay Inc. confidential

Reported spoof sites – up 400% + YoY

Source: Anti-Phishing Working Group

7 eBay Inc. confidential

Source: Anti-Phishing Working Group

Reported spoof sites – Hosting countries

8 eBay Inc. confidential

China Construction Bank - Shanghai March 9, 2006

http://202.96.226.225/.www.eBay.com/sign-in.html?.ebay.com/ws/eBayISAPI.dll?SignIn&co_partnerId=2&pUserId=&siteid=0&pageType=&pa1=&i1=&bshowgif=&UsingSSL=&ru=&pp=&pa2=&errmsg=&runame=&ruparams=&ruproduct=&sid=&favoritenav=&migrateVisitor=

9 eBay Inc. confidential

Fake Companies are Created as well (escrow)

10 eBay Inc. confidential

What are we doing

•Social Response

•Technical Response

•Legislative Response/Judicial Response

11 eBay Inc. confidential

Social Response

• On site Education:– eBay Spoof hub and Security Center– eBay European Antiphishing Campaign– PayPal’s communication efforts regarding security

• Off site education– http://www.getsafeonline.org/ and similar initiatives – Educating Police and Gov’t

12 eBay Inc. confidential

Education and Transparency Tutorials

• Step-by-step lessons in areas such as Spoof

13 eBay Inc. confidential

Education & Awareness Onsite & DM Campaigns

14 eBay Inc. confidential

http://pages.ebay.co.uk/safetycentre/index.html

15 eBay Inc. confidential

••

PayPal Security Center Website

16 eBay Inc. confidential

•

Identity Protection Checklist

17 eBay Inc. confidential

•

Identify Theft Victims GuideWhat to do if you are a victim of identity theft

•

18 eBay Inc. confidential

Technical Response

• Toolbar/My Messages

• Proactive Detection (risk models, Site Ops)

• Communication policy changes

• Spoof Handling team

• Internal detection System/reporting– Preventative measures in detecting unauthorized access/spoof

spoof@ebay.com and spoof@paypal.com addresses– Toolbar reporting system

• Working with email hosting services to find ways for them to not deliver email that only appears to be from eBay/PayPal

• Phish Report Network – browsers/ISP’s don’t allow people to get to Phishing sites

19 eBay Inc. confidential

1

Toolbar with Account Guard

• Our primary tool to help users• protect themselves against spoof• websites

• How it works:• Account Guard turns green when on

eBay or PayPal sites

• Account Guard turns red when on identified spoof sites

• Pop up alerts user before allowing them to proceed

• Password protection alerts user when about to enter their eBay or PayPal passwords on other websites

2

3

4

Site does not have to be fraudulent

20 eBay Inc. confidential

Toolbar Turns Red

21 eBay Inc. confidential

Legislative/Judicial Response

• Working closely with Law Enforcement, Gov’t and ISPs

Past and current initiatives:• Phish Report Network – browsers/ISP’s don’t allow people to get to Phishing

sites• Training to LE and Prosecutors• Attending Working groups with Gov’t to help defining the issue and support

action plan• Work with Internet Provider Association to gain ISP support• Affidavits sent to ATO victims to facilitate reporting• Build network to get support in spoof escalations and reduce takedown timeLonger term objective:• Support Anti-phishing laws and harmonization across the countries• Raise Industry, LE Gov’t awareness on this issue• Get the relevant industry partners aboard• Gain stronger support from ISP industry

22 eBay Inc. confidential

Japan – Engineer Arrested

23 eBay Inc. confidential

First Arrest in a Phishing Case in India

24 eBay Inc. confidential

Conclusion

Partnership

• Public Awareness Campaign

• Police and Govt Awareness Campaign

• Uniform standards and guidelines on internet and computer system security across all industry

25 eBay Inc. confidential

A new hobby for Dilbert a big issue for the Industry

26 eBay Inc. confidential

Thank You

Michael Pak

eBay, Asia Pacific

Trust and Safety Department

Mob: +8211-713-2252

mpak@ebay.com

Skype id: pak1811